b"September 2005\nReport No. 05-038\n\n\nDivision of Supervision and Consumer\nProtection\xe2\x80\x99s Risk-focused Compliance\nExamination Process\n\x0c                                                                                              Report No. 05-038\n                                                                                                September 2005\n                                   Division of Supervision and Consumer Protection\xe2\x80\x99s\n                                   Risk-Focused Compliance Examination Process\n                                   Results of Audit\n\nBackground and                     We found that DSC examiners generally complied with the policies and\nPurpose of Audit                   procedures related to risk-scoping compliance examinations and that the Risk\n                                   Profile and Scoping Memorandums prepared by examiners provided an adequate\nThe FDIC is responsible for\n                                   basis for planned examination coverage. The examiners reviewed bank policies,\nevaluating financial institution   procedures, disclosures, and forms for compliance with consumer protection\ncompliance with consumer           laws and regulations for each examination we reviewed and planned for\nprotection laws and                transaction testing or spot checks in all compliance areas over the course of two\nregulations. To evaluate           consecutive examinations \xe2\x80\x93 a period of 2 to 6 years, depending on an\ncompliance, the FDIC               institution\xe2\x80\x99s size and ratings. Additionally, examiners conducted transaction\nconducts examinations of           testing or spot checks in those areas for which violations had been found at\ninstitutions\xe2\x80\x99 compliance           previous compliance examinations.\npractices. 
In June 2003, the\nFDIC\xe2\x80\x99s Division of                 However, we found that examination documentation did not always show the\nSupervision and Consumer           transaction testing or spot checks conducted during the on-site portion of the\nProtection (DSC) revised its       examinations, including testing to ensure the reliability of the institutions\xe2\x80\x99\nprogram for examining              compliance review functions. Examiners also did not always document whether\ninstitutional compliance with      the examination reviewed all the compliance areas in the planned scope of\nconsumer protection laws and       review. As a result, DSC cannot assure that the extent of testing was appropriate\nregulations. Under the new         except for those areas in which examiners had identified violations and included\nprogram, DSC compliance            them in Reports of Examination.\nexaminations combine a risk-\nbased examination process\nwith an in-depth evaluation of     Recommendation and Management Response\nan institution\xe2\x80\x99s compliance\nmanagement system, resulting       We recommended that DSC clarify and reinforce requirements that examiners\nin a top-down, risk-focused        adequately document the scope of the work performed, including transaction\napproach to examinations.          testing and spot checks of the reliability of the institutions\xe2\x80\x99 compliance review\n                                   functions, during the on-site portions of compliance examinations. 
FDIC\nThe overall audit objective        management agreed with the recommendation and has taken corrective action.\nwas to determine whether\nDSC\xe2\x80\x99s risk-focused                                             Consumer Protection Laws and Regulations\ncompliance examination                               Lending                                              Specialty\nprogram results in                 Truth in Lending                               Community Reinvestment Act Technical Requirements\nexaminations that are              Equal Credit Opportunity Act                   Advertising of Membership\n                                   Flood Insurance                                Branch Closings\nadequately planned and             Real Estate Settlement Procedures Act          Right to Financial Privacy\neffective in assessing financial   Fair Credit Reporting                          Privacy of Consumer Financial Information\ninstitution compliance with        Credit Practices Rule                          Non-Deposit Products\n                                   Fair Housing Act                               Electronic Banking\nconsumer protection laws and       Homeownership Counseling                       Fair Debt Collection Practices\nregulations.                       
Homeowners Protection Act                      Interstate Banking & Branching Efficiency Act\n                                   Home Mortgage Disclosure Act                   Children\xe2\x80\x99s Online Privacy Protection Act\n                                   Preservation of Consumer Claims and Defenses\n                                   Consumer Leasing\n                                                                                Deposit\n_____________________                                               Electronic Funds Transfer\n                                                                    Truth in Savings\n__                                                                  Expedited Funds Availability\nTo view the full report, go to                                      Interest on Deposits\nwww.fdicig.gov/2005reports.asp     Source: DSC Compliance Examination Manual.\n\x0c                            TABLE OF CONTENTS\nBACKGROUND                                                               1\n\nRESULTS OF AUDIT                                                          3\n\nDOCUMENTATION OF ON-SITE TESTING PERFORMED DURING                         5\nCOMPLIANCE EXAMINATIONS\n\n     Documenting Compliance Examination Findings and Transaction          5\n     Testing\n\n      Documenting Reviews of Institutions\xe2\x80\x99 Compliance Review Functions   6\n\n      Examiner Documentation of On-site Transaction Testing and           6\n      Spot Checks\n\n      Recommendation                                                      7\n\nCORPORATION COMMENTS AND OIG EVALUATION                                  7\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                            8\n\nAPPENDIX II: RISK-FOCUSED COMPLIANCE EXAMINATION                         11\n             GUIDELINES\n\nAPPENDIX III: SIGNIFICANT VIOLATIONS CONTAINED IN THE                    12\n              REPORTS OF EXAMINATION FOR THE SAMPLE\n              BANKS\n\nAPPENDIX IV: 
CORPORATION COMMENTS                                        13\n\nAPPENDIX V: MANAGEMENT RESPONSE TO                                       15\n            RECOMMENDATION\n\nTABLES\nTable 1: Consumer Protection Laws and Regulations                        2\nTable 2: Audit Results on Risk-focused Compliance Examinations           4\n\x0cFederal Deposit Insurance Corporation                                                             Office of Audits\n801 17th Street NW, Washington, DC 20434                                             Office of Inspector General\n\n\nDATE:                              September 23, 2005\n\n\nMEMORANDUM TO: Christopher J. Spoth, Acting Director\n               Division of Supervision and Consumer Protection\n\n\n\nFROM:                              Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]\n                                   Assistant Inspector General for Audits\n\n\nSUBJECT:                           Division of Supervision and Consumer Protection\xe2\x80\x99s Risk-focused\n                                   Compliance Examination Process\n                                   (Report No. 05-038)\n\n\nThis report presents the results of our audit of the Federal Deposit Insurance Corporation (FDIC)\nDivision of Supervision and Consumer Protection\xe2\x80\x99s (DSC) process for risk-focused compliance\nexaminations of FDIC-supervised institutions. The overall audit objective was to determine\nwhether DSC\xe2\x80\x99s risk-focused compliance examination process results in examinations that are\nadequately planned and effective in assessing financial institution compliance with consumer\nprotection laws and regulations. 
Specifically, we determined whether DSC examiners are\nadequately risk-scoping compliance examinations, conducting appropriate levels of transaction\ntesting, and making sound risk-scoping decisions in relying on the work of the financial\ninstitutions\xe2\x80\x99 internal or external compliance review functions. Appendix I of this report\ndiscusses our objective, scope, and methodology in detail.\n\nBACKGROUND\n\nThe FDIC is responsible for evaluating FDIC-supervised financial institutions\xe2\x80\x99 compliance with\nfederal consumer protection laws and regulations, including institutional performance under the\nCommunity Reinvestment Act (CRA). To evaluate compliance, the FDIC conducts\nexaminations of institutional practices regarding fair lending, privacy, and other consumer\nprotection laws. During the compliance examination, examiners must ensure that institutions\nhave adequately addressed all areas related to the rules and regulations listed in Table 1 on the\nfollowing page.\n\x0cTable 1: Consumer Protection Laws and Regulations\n                      Lending                                                  Specialty\n    Truth in Lending                                  Community Reinvestment Act Technical Requirements\n    Equal Credit Opportunity Act                      Advertising of Membership\n    Flood Insurance                                   Branch Closings\n    Real Estate Settlement Procedures Act             Right to Financial Privacy\n    Fair Credit Reporting                             Privacy of Consumer Financial Information\n    Credit Practices Rule                             Non-Deposit Products\n    Fair Housing Act                                  Electronic Banking\n    Homeownership Counseling                          Fair Debt Collection Practices\n    Homeowners Protection Act                         Interstate Banking & Branching Efficiency Act\n    Home Mortgage Disclosure Act                      Children\xe2\x80\x99s 
Online Privacy Protection Act\n    Preservation of Consumer Claims and Defenses\n    Consumer Leasing\n                                                 Deposit\n                                          Electronic Funds Transfer\n                                          Truth in Savings\n                                          Expedited Funds Availability\n                                          Interest on Deposits\n    Source: DSC Compliance Examination Manual.\n\n\n\nNoncompliance with these laws and regulations by financial institutions can result in civil\nliability and negative publicity as well as the FDIC\xe2\x80\x99s imposition of formal or informal\nsupervisory corrective actions to correct the identified violations. Some consumer protection\nlaws and regulations require financial institutions to provide consumers with information\nintended to help in making informed decisions about financial services and products. As part of\nthe compliance examination process, the FDIC reviews the information and disclosures that are\nprovided to consumers by FDIC-supervised institutions in accordance with consumer protection\nlaws and regulations. Also, DSC considers an institution's compliance with fair lending, privacy,\nand other consumer protection laws and its performance under the CRA when reviewing an\ninstitution's application for entry into or expansion within the insured depository institution\nsystem. During the 2-year period from July 1, 2003 through June 30, 2005, DSC conducted\n4,153 compliance and CRA examinations.\n\nIn June 2003, DSC revised its program for examining institutions for compliance with consumer\nprotection laws and regulations. Under the Revised Compliance Examination Procedures\n(Transmittal No. 
2003-021, dated June 6, 2003), DSC compliance examinations combined a risk-\nbased examination process with an in-depth evaluation of an institution\xe2\x80\x99s compliance\nmanagement system (CMS),1 resulting in a top-down, risk-focused approach to examinations.\nThe risk-focused approach is intended to make the examination process more effective and\nefficient and reduce the examination burden on banks. The risk-focused approach also helps\nexaminers in determining the depth of review of each functional area and improves the\nconsistency of analysis across regional and field offices. The risk-focused approach recognizes\nthat the banking industry\xe2\x80\x99s compliance responsibilities continue to grow and become more\ncomplex with changes in financial products and services. Moreover, the focus on an institution\xe2\x80\x99s\n\n1\n A financial institution uses its CMS to identify, monitor, and manage its compliance responsibilities and risks. A\nCMS includes (1) management and director oversight; (2) a compliance program (policies and procedures, training,\nmonitoring, and complaint response); and (3) audit procedures applied by the institution\xe2\x80\x99s internal or external\ncompliance review function.\n                                                         2\n\x0ccompliance program places emphasis on the institution\xe2\x80\x99s responsibility to ensure it complies with\nconsumer protection laws.\n\nEffective June 30, 2004, DSC made additional modifications to the examination procedures as\nthey relate to the contents of the Report of Examination and the risk-focused planning documents\n\xe2\x80\x93 the Risk Profile and Scope Memorandum (RPSM) and the Compliance Information and\nDocument Request (CIDR). 
Appendix II provides a detailed description of these modifications.\n\nCompliance examinations are conducted every 12 to 36 months, depending on an institution\xe2\x80\x99s\nsize and the compliance and CRA ratings assigned at the most recent examination.2 Each\ncompliance regulation and law is not reviewed at every compliance examination. If no\ntransaction testing in a particular regulatory area has been conducted in the previous\nexamination, a spot check should be conducted at the current examination, even if there are no\nrisk indicators.3 For reporting purposes, the risk-focused examination approach combines the\nresults of the CRA evaluation and the compliance examination into one report when CRA\nperformance is evaluated at alternate examinations. The single report focuses on an institution\xe2\x80\x99s\nCMS and includes only significant violations. (Appendix III provides the significant violations\nfound during the compliance examinations for the banks in our sample.) Examiners identify\nother violations separately to bank management, and they are tracked by the FDIC.\n\n\nRESULTS OF AUDIT\n\nWe found that DSC examiners generally complied with the policies and procedures related to\nrisk-scoping compliance examinations and that the RPSMs prepared by examiners provided an\nadequate basis for planned examination coverage. 
The examiners reviewed bank policies,\nprocedures, disclosures, and forms for compliance with consumer protection laws and\nregulations for each examination we reviewed and planned for transaction testing or spot checks\nin all compliance areas over the course of two consecutive examinations \xe2\x80\x93 a period of 2 to\n6 years, depending on an institution\xe2\x80\x99s size and ratings.\n\nHowever, we found that examination documentation did not always show the transaction testing\nor spot checks conducted during the on-site portion of the examinations, including testing to\nensure the reliability of the institutions\xe2\x80\x99 compliance review functions. Also, examiners did not\nalways document whether the examination had reviewed all the compliance areas in the planned\nscope of review. As a result, DSC cannot assure that the extent of testing was appropriate except\nfor those areas in which examiners had identified violations and included them in Reports of\nExamination. Table 2 on the next page shows the components of a risk-focused compliance\nexamination and our related audit results.\n\n\n\n\n2\n  Regional Director Memorandum No. 
00-001 entitled, Revisions to the Compliance and CRA Examination\nFrequency Schedule, dated September 19, 2000, revised the examination frequency schedule for compliance and\nCRA examinations to address statutory changes contained in the Gramm-Leach-Bliley Act of 1999.\n3\n  Transaction testing involves reviewing a sample of transactions, while spot checks involve reviewing a few\ntransactions.\n                                                       3\n\x0cTable 2: Audit Results on Risk-focused Compliance Examinations\n     Risk-focused\n     Compliance\n                                    Component Description                            Results of Audit\n     Examination\n     Component\n                                                                    Examiners generally complied with policies\n                           In preparing for a compliance examination,\n                           examiners send each bank a Compliance    and procedures related to risk-scoping\n                           Information and Document Request that    compliance examinations, in that:\n                           provides examiners with sufficient       (1) justification for the extent of the work to\n                                                                    be conducted for each compliance area was\n                           information to begin an off-site evaluation\n                           of an institution\xe2\x80\x99s compliance managementprovided in the RPSMs, (2) a justification\n                                                                    for areas not tested during the examination\n                           system. 
At this point, emphasis is placed on\nOff-site CMS Review                                                 was documented, (3) areas not tested at the\n                           reviews of written practices, policies, and\n                                                                    previous examination were included in the\n                           procedures; bank forms and disclosures; and\n                           bank audit data. This off-site review    current examination scope for transaction\n                                                                    testing or spot checks, and (4) areas for\n                           provides the initial assessment of the quality\n                                                                    which violations had been found at previous\n                           of an institution\xe2\x80\x99s CMS in light of the risks\n                                                                    compliance examinations were included in\n                           associated with the level and complexity of\n                           the institution\xe2\x80\x99s business operations andthe scope of the current examination for\n                           product and service offerings.           
transaction testing or spot checks.\n                                                                    Examiners generally complied with risk-\n                           The results of the off-site assessment of the\n                           CMS, to include the proposed on-site     scoping documentation requirements, as\n                           testing plan, are documented in the RPSM.follows: (1) requirements for preparing the\n                           The RPSM is designed to assess the CMS,  RPSM were met for the banks in our\n                           operational areas, and issues to be      sample; and (2) the RPSMs provided an\n                                                                    adequate analysis of the bank\xe2\x80\x99s CMS and\n                           investigated or targeted. In addition, the\n                           RPSM contains the Risk Profile Matrix,   were broad enough to provide an\n                                                                    understanding of the organizational\n                           which summarizes perceived risk in each of\n                           the CMS elements regarding major         structure of an institution, its related\nDevelopment of the\n                                                                    activities, and compliance risks associated\n                           operational areas. Examiners use the matrix\nRPSM\n                                                                    with each of the institution\xe2\x80\x99s activities. 
In\n                           to develop a compliance risk profile for an\n                           institution, using various sources of    addition, the use of RPSMs as a planning\n                                                                    tool provides examiners an adequate\n                           information about the institution\xe2\x80\x99s business\n                                                                    method for making an initial off-site\n                           lines, organizational structure, operations,\n                           and past supervisory performance.        assessment of whether the institutions\xe2\x80\x99\n                                                                    management and board of directors identify,\n                                                                    understand, and adequately control the\n                                                                    compliance risks facing the financial\n                                                                    institution.\n                        During the on-site portion of the risk-     There is insufficient evidence in\n                        focused compliance examination, examiners examination workpapers or reports for DSC\n                        determine actual bank practice through      to assure that the extent of on-site\n                        extensive discussions with bank             transaction testing and spot checks was\n                        management and staff, reviews of relevant   appropriate. Compliance examination\n                        documents, and testing of selected bank     workpapers were not always maintained in\n                        transactions. 
The extent of transaction     a manner that ensures the work performed\nOn-site Transaction\n                        testing and spot checks is based on the     during the on-site portion of the review is\nTesting and Spot\n                        examiner\xe2\x80\x99s assessment of the institution\xe2\x80\x99s  adequately documented, including\nChecks\n                        compliance risk profile, such as whether an transaction testing and spot checks to ensure\n                        operational area is determined to be high   the reliability of the institution\xe2\x80\x99s compliance\n                        risk or the institution\xe2\x80\x99s compliance        review function. Also, examiners did not\n                        management efforts appear weak.             always document whether the examination\n                                                                    reviewed all the compliance areas in the\n                                                                    planned scope of review.\nSource: DSC Compliance Examination Manual and Office of Inspector General (OIG) audit results.\n\n\n\n                                                         4\n\x0cDOCUMENTATION OF ON-SITE TESTING PERFORMED DURING\nCOMPLIANCE EXAMINATIONS\n\nExaminers did not adequately document the scope of the work performed during the on-site\nportion of the compliance examinations. Specifically, for the examinations we reviewed,\nexamination workpapers did not always contain sufficient information to identify examiner\ntransaction testing or spot checks conducted during the on-site portion of examinations or\nwhether the examination reviewed all areas in the planned scope of review. Documentation is\nlacking because examiners did not comply with DSC policy that requires they document their\nwork. 
As a result, DSC cannot assure that the extent of testing was appropriate for assessing\ninstitutional compliance with regulations except for those areas in which examiners had\nidentified violations and included them in Reports of Examination.\n\nDocumenting Compliance Examination Findings and Transaction Testing\n\nDSC\xe2\x80\x99s June 2003 Revised Compliance Examination Procedures (Transmittal No. 2003-021,\ndated June 6, 2003) section entitled, Documenting Examination Findings, states that examination\ndocumentation should demonstrate a clear trail of decisions and supporting logic within a\nspecified area. Documentation should provide a written record of the examiner\xe2\x80\x99s decisions and\nanalysis and provide support for facts or opinions in the Report of Examination. A well-\nconstructed examination documentation file provides sufficient information to reconstruct the\nexaminer\xe2\x80\x99s decision process for each step of the examination. The information should provide\nsupport for the examiner\xe2\x80\x99s decision to include or exclude a regulation or area of review from the\nscope of the examination and for significant findings. Additionally, examiners should conduct\non-site transaction testing for the operational areas included in the scope of the review.4 The\nnumber of transactions and the particular regulatory requirements to be reviewed should be\ncarefully tailored to weaknesses identified in the CMS as it relates to specific operational areas.\nIn addition, the revised procedures instruct examiners to prepare an examiner summary\nworkpaper for each regulation or area reviewed. 
This summary, in conjunction with the RPSM,\nshould allow subsequent examiners to clearly identify the scope of work performed and the basis\nfor the examiner\xe2\x80\x99s conclusion.\n\nDSC\xe2\x80\x99s Compliance Examination Manual, Appendix H, entitled, Sampling Guidelines for\nCompliance and CRA, instructs examiners to use judgment in determining the number of loans to\nbe reviewed, depending upon specific circumstances. In addition, not all loan types or\ncharacteristics must be sampled at each examination; however, \xe2\x80\x9cemphasis should be placed on\nthose types of loans that evidenced concerns in the past and those that could result in\nreimbursable violations.\xe2\x80\x9d The policy also states that (1) statistical sampling is the preferred\nmethod and should be used to the greatest extent possible; (2) the examiner should clearly\n\n\n\n4\n  According to the Revised Compliance Examination Procedures, after analyzing the CMS elements in relationship\nto a bank\xe2\x80\x99s operational risks, examiners decide the necessary transaction sampling and testing. The severity of CMS\nweaknesses and operational risk will dictate the intensity of transaction testing; greater weakness and higher risk\nwill generally lead to the review of more transactions. If the examiner finds a moderate degree of risk, then\nsufficient testing should be done to show support for a conclusion. 
If no transaction testing in a particular regulatory\narea was done in the previous examination, then examiners should perform a spot check of transactions at the\ncurrent examination, even if there are no risk indicators.\n\n                                                           5\n\x0cdocument in the workpapers the sampling method utilized, loan universe and sample size(s), and\nsampling results; and (3) examiners should select independent loan samples for the compliance,\nCRA, and fair lending portions of the examination.\n\nIn June 2004, DSC issued Updated Compliance Examination Procedures, Transmittal\nNo. 2004-032, effective June 30, 2004. According to the June 2004 procedures, the RPSM will\nbe used solely for pre-examination planning. Examiners should no longer update the RPSM to\nreflect changes in the examination scope or to duplicate findings contained in the Report of\nExamination. However, examination workpapers need to reflect any material changes in scope\nand the support for those changes. Material increases or reductions in the examination scope\nmust also be noted in examination workpapers.\n\nDocumenting Reviews of Institutions\xe2\x80\x99 Compliance Review Functions\n\nThe Updated Compliance Examination Procedures require examiners to conduct documentation\nreviews and to interview management regarding the assessment of a bank\xe2\x80\x99s compliance review\nfunctions. The procedures provide a list of questions for the interview and a list of documents\nthat should be reviewed. Based on the interviews and materials reviewed, examiners are to\ndevelop and document a preliminary assessment of the institution\xe2\x80\x99s performance related to\ncompliance reviews and determine whether the institution\xe2\x80\x99s compliance review function is\ngenerally strong, adequate, or weak and the assumptions on which the assessment is based. 
This\ndetermination is initially made off-site by an examiner and is based on the examiner\xe2\x80\x99s\nassessment of the scope and frequency of the institution\xe2\x80\x99s compliance reviews, the adequacy of\nwritten compliance reports, board of director and senior management responses to those reports,\nand the institution\xe2\x80\x99s follow-up procedures to verify that the corrective actions were lasting and\neffective. In addition, the section of the Compliance Examination Manual entitled, Transaction\nSampling and Testing, states that depending on the importance of a component, the examiner\nmay find it appropriate to spot check a few transactions to show support for a favorable\nconclusion by the compliance review function. If no transaction testing in a particular regulatory\narea has been done in the previous examination, then spot checks should be done at the current\nexamination, even if there are no risk indicators. If testing is not considered necessary to support\nconclusions about an element of the CMS or with respect to a particular operational area,\nexaminers should retain appropriate documentation in the workpapers and include comments in\nthe RPSM and/or the compliance examination report to support this conclusion.\n\nExaminer Documentation of On-site Transaction Testing and Spot Checks\n\nOur review of compliance examination workpapers showed that for 20 of the 36 examinations\nwe reviewed, examiners had not documented the extent of transaction testing or spot checks they\nperformed during the on-site portion of the examination. Some of the Reports of Examination\ncontained comments related to the transaction testing and spot checks conducted. However, the\ncomments related only to areas of violations identified during the examination and did not\naddress the entire scope of the examination. 
As a result, we could not determine whether all\nareas included in the planned examination scope had been reviewed or to what extent examiners\ntested or spot checked transactions unless examiners had identified violations in compliance\nareas in the Report of Examination.\n\n\n\n                                                 6\n\x0cAs a result of the lack of documentation to support on-site transaction testing and spot checks\nconducted during compliance examinations, DSC cannot assure that the extent of testing was\nappropriate except for those areas in which examiners identified violations and included them in\nReports of Examination. In addition, the lack of examination documentation can affect\nsubsequent examinations in that it will be more difficult for examiners to decide the appropriate\nscope of those examinations. DSC management plans to reassess the revised compliance\nexamination procedures in relation to using the RPSM solely for pre-examination planning.\n\nRECOMMENDATION\n\nWe recommend that the Director, DSC, clarify and reinforce requirements that examiners\nadequately document the scope of the work performed, including transaction testing and spot\nchecks of the reliability of the institutions\xe2\x80\x99 compliance review functions, during the on-site\nportion of compliance examinations.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn September 16, 2005, the Acting Director, DSC, provided a written response to the draft\nreport. The response is presented in Appendix IV of this report. We did not include the\nattachments to DSC\xe2\x80\x99s response in Appendix IV, which were excerpts from Regional Director\nMemorandum No. 2005-035, Revised Compliance Examination Procedures, dated August 18,\n2005. 
DSC concurred with the recommendation, stating that guidance had been issued related to:

•   documenting changes in the scope of an examination,
•   documenting spot checks of regulations,
•   providing cross checks to additional information available in Examiner Summaries, and
•   providing descriptions of examination procedures used to conduct the examination.

This guidance was distributed to all DSC staff on August 31, 2005.

OIG Evaluation: We determined that the agreed-to corrective action has been completed and is effective. This recommendation is resolved, dispositioned, and closed.

Appendix V contains a summary of management’s response to the recommendation and the status of the recommendation as of the date of this report.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The overall objective of this audit was to determine whether DSC’s risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners are adequately risk-scoping compliance examinations and conducting appropriate levels of transaction testing and making sound risk-scoping decisions when relying on the work of the financial institutions’ internal or external compliance review functions.
We performed our audit from October 2004 through August 2005 in accordance with generally accepted government auditing standards.

Scope and Methodology

The scope of the audit was limited to a review of banks examined under the revised DSC risk-focused compliance examination policies and procedures in the Revised Compliance Examination Procedure, dated June 30, 2004. To accomplish our objective, we reviewed the most current and the prior compliance examination reports and corresponding examination workpaper files, policies, and procedures related to the compliance review function, prior OIG audit reports and DSC Internal Review reports, laws and regulations, and management tracking reports for each examination. We also interviewed DSC management officials and staff at FDIC headquarters and three regional offices.

The judgmental sample included 36 FDIC-supervised banks for which compliance examinations had been conducted from August 2003 through November 2004 at 3 FDIC regional offices. Our sample included 14 “1” rated banks, 14 “2” rated banks and 8 “3” rated banks.[5] The asset sizes of the banks ranged from $8.5 million to $1.2 billion. The compliance examinations in our sample resulted in 11 banks whose compliance ratings were downgraded, 7 banks whose ratings were upgraded, and 18 banks whose ratings remained the same. Of the 36 banks, 8 had corrective supervisory actions imposed on them as a result of the compliance examinations: 2 banks were issued Memorandums of Understanding, and 6 banks were encouraged to adopt Bank Board Resolutions.[6] The eight banks had a compliance examination rating of “3.”

Pertinent Laws and Regulations

Compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibilities to comply with the requirements of federal consumer laws and regulations.
DSC has established policies and procedures for risk-focused compliance examinations in the FDIC Compliance Examination Manual. For the banks in our sample, the procedures generally were followed, although examination workpapers did not always contain sufficient information to identify examiner transaction testing or spot checks conducted during the on-site portion of examinations or whether the examination reviewed all areas in the planned scope of review. Our review did not find any instances of FDIC noncompliance with pertinent laws and regulations.

[5] The FDIC follows the Uniform Interagency Consumer Compliance Rating System approved by the Federal Financial Institutions Examination Council in 1980.
[6] Informal actions such as Bank Board Resolutions and Memorandums of Understanding are voluntary commitments made by the board of directors of a financial institution. They are neither publicly disclosed nor legally enforceable.

Reliance on Computer-based Data, Government Performance and Results Act, Fraud and Illegal Acts, and Internal Control

Validity and Reliability of Data from Computer-based Systems

We used computer-based data for background information and in generating a universe of examinations from which to select our sample. We reviewed examination records that supported data from the DSC System of Uniform Reporting of Compliance and CRA Examinations (SOURCE)[7] and the Scheduling, Hours, and Reporting Package (SHARP)[8] reporting systems to determine the accuracy of data used during the audit.
The SOURCE system is used to: (a) generate examination schedules that support workload projections by incorporating quarterly planning and benchmark hours, (b) capture examination summary information, (c) store examination documents for divisional sharing and historical reference, and (d) support legislatively mandated reporting. The SHARP system is an hours-based tracking system that provides uniformity in collecting examination hours information. Based on our review, we found that the SHARP system does not provide detailed information on work conducted by examiners. Also, the SHARP system does not have time codes for all of the regulations reviewed during compliance examinations. According to our discussions with DSC staff, SHARP is not used to track or monitor examination coverage of regulations – the system is more useful for field office management.

Performance Measures

In fulfilling its primary supervisory responsibilities, the FDIC pursues two strategic goals: FDIC-supervised institutions are safe and sound and consumers’ rights are protected, and FDIC-supervised institutions invest in their communities.[9]

Two strategic objectives support the consumer rights strategic goals. The first strategic objective is that consumers have access to easily understood information about their rights and the disclosures due them under consumer protection and fair lending laws.
The FDIC’s annual performance goals related to this objective are:

• Provide effective outreach and technical assistance on topics related to the CRA, fair lending, and community development.

• Meet the statutory mandate to investigate and respond to consumer complaints about FDIC-supervised financial institutions.

[7] SOURCE is a management support and decision tool that replaced the Banking Information Tracking System (BITS) Compliance Statistical System as the system of record for the compliance and CRA examination program and is extensively used by compliance field supervisors, examiners, review examiners, and Washington office policy staff. SOURCE differs from its predecessor BITS in that SOURCE is used not only to support reporting requirements and a system of record, but also to provide substantial task support for examination staff.
[8] All DSC employees use SHARP to track examination hours.
[9] The goals are stated in the FDIC 2005-2010 Strategic Plan and the FDIC 2005 Annual Performance Plan.

The second strategic objective is that FDIC-supervised institutions comply with consumer protection, CRA, and fair lending laws.
The FDIC’s annual performance goals related to this objective are:

• Conduct CRA and compliance examinations in accordance with the FDIC’s examination frequency policy.

• Take prompt and effective supervisory action to monitor and address problems identified during compliance examinations of FDIC-supervised institutions that receive a “4” or “5” rating for compliance with consumer protection and fair lending laws.

None of the strategic goals, strategic objectives, or performance goals related directly to the objectives of our audit.

Fraud and Illegal Acts

Our audit program did include steps for providing reasonable assurance of detecting fraud or illegal acts. We did not identify any illegal acts or abuse or potential areas susceptible to illegal acts or abuse.

Internal Controls Reviewed

During the audit, we gained an understanding of relevant control activities related to compliance examinations by examining DSC policies and procedures as presented in the DSC’s Compliance Examination Manual and Regional Directors Memoranda. We identified DSC’s internal controls related to the risk-focused examination process for compliance examinations. Specifically, we reviewed the systems used for measuring, monitoring, and reporting program performance; compliance with laws, regulations, policies, and procedures; and the reliability of computer-based data. We also reviewed the results of DSC Internal Control Reviews related to compliance examinations.
We identified documentation weaknesses related to the on-site portion of compliance examinations as discussed in the finding section of this report.

Summary of Prior Audit Coverage

On March 26, 2002, the OIG issued Audit Report 02-009, Division of Compliance and Consumer Affairs’ Risk-Scoping Process for Fair Lending Examinations, on the fair lending examination risk-scoping process as conducted by the Division of Compliance and Consumer Affairs.[10] The objective of the audit was to assess: (1) the adequacy of the Federal Financial Institutions Examination Council (FFIEC) Interagency Fair Lending Examination Procedures for the FDIC’s pre-examination planning for fair lending examinations of small banks, (2) the FDIC’s implementation of the FFIEC interagency procedures as they relate to identifying fair lending risks during the off-site pre-examination planning phase of the fair lending reviews, and (3) the related DCA internal controls. The 2002 audit focused on the FDIC’s application of the FFIEC Interagency Fair Lending Procedures and did not directly relate to the scope of our audit.

[10] Effective June 30, 2002, the FDIC’s Division of Supervision and Division of Compliance and Consumer Affairs (DCA) were merged to form the new DSC.

APPENDIX II

RISK-FOCUSED COMPLIANCE EXAMINATION GUIDELINES

Effective June 30, 2003, DSC implemented revised procedures to enhance the FDIC's compliance examination process by focusing increased attention on an institution’s compliance management system. As noted in the DSC Memorandum entitled, Revised Compliance Examination Procedures, Transmittal No.
2003-021, dated June 6, 2003, the revised procedures combined the risk-based examination process with an in-depth evaluation of an institution’s CMS. Examiners were required to evaluate how well an institution’s compliance responsibilities are administered and managed, consistent with the level and complexity of its operations. The purpose of this approach was to allow examiners to devote more attention to those institutions requiring additional supervisory attention to help improve weak compliance functions and reduce the risks of future noncompliance. The new procedures did not change existing fair lending examination procedures or CRA performance evaluations. According to the revised procedures, all financial institutions would benefit from a comprehensive assessment of compliance management systems. The examiner’s identification of root causes of compliance management deficiencies and regulatory violations would serve as a blueprint for helping institution management improve its operations. Moreover, the revised compliance examination procedures would elevate the importance of comprehensive compliance risk management by institutions of all sizes.

Effective June 30, 2004, DSC updated the compliance examination procedures. As noted in the DSC Memorandum entitled, Updated Compliance Examination Procedures, Transmittal No.
2004-032, dated June 30, 2004, modifications to the examination procedures were centered in three distinct components of the compliance examination program: Report of Examination comments, the RPSM, and the CIDR.

• The Report of Examination changes included guidance to: (a) reduce examination scope comments, (b) consolidate examiner recommendations and management’s commitment to corrective action, (c) consolidate the summary assessment of compliance management, and (d) omit the Supervisory Comments page in most instances.

• The RPSM requirements were changed to ensure that the RPSM would be used solely for pre-examination planning. Upon completion of the RPSM, the Examiner-in-Charge is required to submit it to the Field Supervisor for review and approval. Once the RPSM is approved by the Field Supervisor, examiners no longer need to update the RPSM to reflect changes in examination scope or to duplicate findings contained in the Report of Examination.

• To better tailor the CIDR to the unique circumstances of each institution, the following approaches were made available for examiners when requesting information from banks. For compliance examinations of large, complex banking organizations, examiners should use the existing CIDR.
For compliance examinations of smaller, less complex institutions, examiners should use the “Interview Sheet” and a revised Compliance Information and Documentation Request (CIDR II) to simplify the information-gathering process by removing tables and separating information requests from document requests.

APPENDIX III

SIGNIFICANT VIOLATIONS CONTAINED IN THE REPORTS OF EXAMINATION FOR THE SAMPLE BANKS

Significant violations found during the compliance examinations for the 36 banks in our sample are identified below. Significant violations are defined as deficiencies that may adversely impact the financial institution. We found that 75.6 percent of the total significant violations related to seven regulations: Truth in Lending, Equal Credit Opportunity, Real Estate Settlement Procedures Act, Truth in Savings, Home Mortgage Disclosure Act, Flood Insurance, and Expedited Funds Availability.
The scope of this audit did not include a detailed review of the significant violations; however, we plan to include an audit of supervisory actions taken for compliance-related violations in our Fiscal Year 2006 Assignment Plan.

    Lending Regulation Violations                                  # of Banks
    Truth in Lending (TIL)                                              17
    Equal Credit Opportunity Act (ECOA)                                 17
    Flood Insurance                                                     11
    Real Estate Settlement Procedures Act (RESPA)                       17
    Fair Credit Reporting                                                4
    Credit Practices Rule                                                0
    Fair Housing Act                                                     2
    Homeownership Counseling                                             1
    Homeowners Protection Act (HPA)                                      1
    Home Mortgage Disclosure Act (HMDA)                                 13
    Preservation of Consumer Claims and Defenses (PCCD)                  0
    Consumer Leasing                                                     0

    Deposit Regulation Violations                                  # of Banks
    Electronic Funds Transfer (EFT)                                      7
    Truth in Savings (TIS)                                              16
    Expedited Funds Availability (EFA)                                  11
    Interest on Deposits                                                 2

    Specialty Regulation Violations                                # of Banks
    Community Reinvestment Act Technical Requirements                    4
    Advertising of Membership                                            1
    Branch Closings                                                      0
    Right to Financial Privacy Act                                       4
    Privacy of Consumer Financial Information                            2
    Non-Deposit Products                                                 5
    Electronic Banking                                                   0
    Consumer Complaints                                                  0
    Fair Debt Collection Practices                                       0
    Interstate Banking & Branching Efficiency Act (IBBEA)                0
    Children’s Online Privacy Protection Act (COPPA)                     0

APPENDIX IV

CORPORATION COMMENTS

APPENDIX V

MANAGEMENT RESPONSE TO RECOMMENDATION

This table presents the management response on the recommendation in our report and the status of the recommendation as of the date of report issuance.

    Corrective Action for Recommendation:          Completion Date   Monetary   Resolved:[a]   Dispositioned:[b]   Open or
    Taken or Planned/Status                                          Benefits   Yes or No      Yes or No           Closed[c]
    ------------------------------------------------------------------------------------------------------------------------
    DSC concurred with the recommendation.         August 31, 2005   None       Yes            Yes                 Closed
    DSC clarified and reinforced requirements
    that examiners adequately document the
    scope of the work performed, including
    transaction testing and spot checks of the
    reliability of the institutions’ compliance
    review functions, during the on-site portion
    of compliance examinations. This
    clarification was provided in a written
    memorandum entitled, Revised Compliance
    Examination Procedures, which was issued
    to all DSC personnel.

[a] Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
[b] Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.
[c] Once the OIG dispositions the recommendation, it can then be closed.